Employees of a global IT services company found out the hard way that hackers use even the most innocent tactics to hook their victims. Those employees around the world received an email offering a voucher for a free holiday lunch. What could possibly be wrong with that? Well, 80% of recipients, including senior security professionals, gladly took the offer. Fortunately, the phishing email was a test for employees to show just how gullible and trusting we are as human beings. Had the email been from a hacker, 4 out of 5 employees–and the company–would be on the hook for something nefarious, and only the hacker would know what that something might be.

The incredible success of phishing emails continues for the biggest reason of all: Humans can’t help being human. For that reason alone, the social engineering tactics hackers use end up being quite successful. Social engineering is any act that may cause a person to take an action that may or may not be in their best interests or that they may not do otherwise. It often includes psychological manipulation tricking people into performing actions or providing confidential information…again, that they may otherwise not do. Whether hackers agree with the definition or not, all they need to know is–it works.

From generic emails sent to millions of recipients to spearphishing emails that target individuals with specific information, hackers are continually refining their efforts. Work environments provide a “phish in a barrel” type of victim, as hackers use email subjects pretending to be from a vendor, a co-worker, or a higher-up, never failing to include an attachment that needs opening…and bam! Malware is unleashed on the company–it’s that simple. There are some common sense “don’t” steps to avoid falling for social engineering email phishing at work. Remember the most important “don’t” of all: Don’t be gullible!

Don’t click it. Unless you were expecting an attachment, don’t click it. Don’t hesitate to contact the sender directly to verify if the attachment is legitimate. Just remember to do this independently of any information in the received message.

Don’t “Act Right Away!” Suspect every email urging or threatening you to take immediate action, no matter what the subject may be. It’s a tactic to get you to act before thinking it through.

Don’t fall for generic greetings. An email sent from an alleged source like a bank or a vendor should always address you by your first and last name. Bulk email phishing uses generic greetings like “sir or madam” because they don’t have your specific name.

Don’t believe what you see. Hackers put together exact duplicates of web sites you trust, only to get you to provide account numbers, passwords, etc. Check for misspellings and bad grammar, and always check the URL carefully as hackers spoof the URL using very sneaky changes not likely to be noticed.

Don’t give it up. Companies rarely ask for personal information in an email, nor do vendors ask for important company information in emails. Even if they do request it, don’t send it in email. Email is not a secure form of communication in most instances.

Anyone want a free prize? Of course we all do. However, sometimes those “free” gifts come with a price attached. And it can be quite expensive when that price is malware on your mobile device. A recently discovered scam has been spotted by researchers at Symantec that promises free prizes if you merely provide a few personal tidbits. That sounds harmless, so, why not? All they want is some information, right?

Well, hold your horses, there Partner. What they really want is most likely to install malware onto your device. If they don’t want to do that, they want access to your Facebook friends list. In exchange, they promise Amazon gift cards, free iPhones, or even cash. But they are all scams, so don’t let them lasso you.

The scammers are pretty good in this one, too. They don’t limit it just to one operating system or type of device. Anyone with an Apple or Android product is at risk when using a browser. The fraudsters even post fake testimonials flaunting how fantastic their scam is. Those “testimonials” are all phony and just trickery.

The good news is that many, if not most, of the antivirus software products are ready for this one and as long as you have the latest updates installed, you should be protected. If you don’t, stop right now and go take a gander at what is available and apply it right now.

In addition, make sure all the latest critical and security updates are applied to your devices. Apple recommends enabling the “Block Pop-ups” and “Fraudulent website warning” options for iOS too. If you don’t see these options, you may not have the latest updates.

Remember to use caution when browsing, whether on your desktop, laptop, or sitting atop your favorite steed using your smartphone. All devices are at risk, regardless of what browsers you use and where you’re using them. Consider using a pop-up blocker on all your devices. There are many options. Just do a little research to make sure you’re using a legitimate product rather than just manure.

Criminals commit crimes because, well, because by doing so, they can make a profit. And, shockingly, according to a recently released nine-month study from a criminology researcher in the UK and Bromium (a security product company) called Into The Web of Profit, threat actors are making and even reinvesting about $1.5 trillion worth of profits. If nothing else convinces you that cybercrime is a business, that information should.

The study by Dr. Mike McGuire at the University of Surrey and Bromium looked specifically at revenue flow and distribution of profits from it with respect to money laundering, data trading, and ransomware, along with other cybercrime activities. Interestingly, they found that the criminal organizations are using a combination of both illegal and legitimate activities (such as placing online ads) to rake in the dough.

Just How Much is $1.5 Trillion?

That’s a lotta loot, in anyone’s book. But for comparison’s sake, that is equivalent to the 13th largest economy in the world in terms of gross domestic product (GDP). According to the CIA’s World Factbook, the United States is number 1 ($19.36 trillion) and Canada is number 10 on that list at $1.76 trillion, but 13 is very respectable. That’s about the same as South Korea, which is no slouch when it comes to its economy, and more than Australia, Spain, and Mexico.

How Much Do Each of the Crime Categories Make?

We are glad you asked! From illicit online markets, that would be about $860 billion. If they steal intellectual property or trade secrets, it’ll bring in $500 billion. Data trading? $160 billion. Ransomware and all kinds of cybercrime-as-a-service brought in much less: a respective $1 billion and $1.6 billion. While that seems like small potatoes in comparison, the report also found that zero-day iOS exploits alone bring in about $250,000. And since cybercriminals tend to share work or use templates to bring in more bang for the buck, malware kits make the cybercriminals about $200-600 per exploit. Considering one person can do many attacks in one sitting, that’s not a bad payday.

It’s Just Business

Cybercriminal organizations are indeed working as businesses these days. Some of them even have customer service numbers and email addresses. According to the report’s author, Dr. McGuire, “this is creating a kind of ‘monstrous double’ of the legitimate information economy – where data is king.” Companies like Google, Facebook, and other social media platforms where reviews and ratings are offered make it easier for criminals to commit the crimes and not bother getting a “real” job. An individual hacker can make more than a newly graduated college student and “managers” in the world of cybercrime can even make millions per job.

What Can You Do?

Unfortunately, once your information is somewhere out of your control, it’s just that…out of your control. But, you can take preventative measures:

Check payment card charges often. It’s pretty easy to log in to your accounts these days. Make a quick check more often than monthly to address potential fraud much quicker. This reduces your cost and the costs for your financial organization.

Monitor your credit reports. All people with credit in the U.S. can get a free copy of their credit reports each year at annualcreditreport.com. The three credit bureaus will provide one each and unless you have a particular issue, stagger when you request them. Ask for one every four months to keep better tabs on potential fraud.

If you can freeze your credit, do so. As a result of the Equifax breach last year, about half the population of the U.S. was a victim of a breach that included social security numbers. Even if you weren’t in that list, consider freezing your credit. This will prevent anyone (including you) from accessing your credit reports. If you don’t need to get credit, find new housing, or are not looking for a new job, this may be an option for you. Remember that even if you do freeze it, you can unfreeze and refreeze as necessary. Just check the lead times and charges to do this for each of the bureaus.

Monitor your healthcare records too. The information from these is even more valuable than payment card details. It can be used to commit financial crimes as well as healthcare fraud. If you see something suspicious on your benefit statement, contact your provider immediately to get it resolved.

Remember to choose the “credit” option when using payment cards if you have an option. This provides more protection should there be a breach. If a hacker gets your card number and PIN, they can potentially recreate your card and drain your bank account.

And of course, always be on alert for phishing attacks. Email is still the primary way criminals get the information they seek. Even if your organization has security tools in place, it only takes one phishing email to arrive in someone’s inbox to set off a successful attack.

As you probably know, there are some free video games out there for everyone to enjoy. Well, they are “free” with caveats most of the time, but the fact that there is no initial investment other than time makes them popular among the video gamers out there. A very popular one is called Fortnite. Its Battle Royale Mode has reportedly earned more than $126 million. And this popularity makes it a prime target for the cybercriminals among us.

Several scams have recently been spotted targeting players of Fortnite. Epic Games, the maker of the game, has been sending out warnings to players about these. They tend to target young players. They offer free or discounted V-Bucks, which is the virtual money used in the game. However, what these “free” offers really do offer are phishing scams designed to steal the login credentials and ultimately your real cash.

As a reminder, Epic has stated that there are only two official websites for Fortnite: epicgames.com and fortnite.com. If you get offers from other sites, they are very likely scams.

Epic is also warning that there are fake websites that are replicating the official sites. Make sure you really review a website to make sure it’s authentic before entering login credentials, payment card information, or other sensitive details. Epic has said that it “will never ask for your password or any other account information.” So, if you get an email or message that does ask for these, delete it right away. Never click on links or attachments in email or text messages that you are not expecting. These often contain malicious code that can do various types of harm.
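One way to apply the two-official-domains rule mechanically, as an added example that is not from the original article or from Epic Games: a small Python checker that compares a link's real hostname against epicgames.com and fortnite.com and flags names that merely resemble them. The function names, verdict labels and the sample hosts under the reserved .example domain are constructed for illustration.

```python
from urllib.parse import urlsplit

# The only two official domains named in the article above.
OFFICIAL_DOMAINS = ("epicgames.com", "fortnite.com")
# Brand labels a fake site is likely to imitate: "epicgames", "fortnite".
BRANDS = tuple(d.split(".")[0] for d in OFFICIAL_DOMAINS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca -> cb
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'official', 'suspicious' or 'unrelated' for a link.

    'unrelated' only means the host does not imitate the brand; per the
    article, any site other than the two official ones is still not a
    place to enter Fortnite credentials.
    """
    try:
        parts = urlsplit(url.strip())
        # .hostname drops userinfo and port and lowercases the name.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "suspicious"
    if not host:
        return "suspicious"

    # Exact match or a true subdomain. Matching on ".domain" (with the dot)
    # avoids accepting a longer name that merely ends in the same letters.
    on_official_host = any(
        host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS
    )
    if on_official_host:
        # Official host, but require HTTPS and no embedded credentials.
        if parts.scheme == "https" and parts.username is None:
            return "official"
        return "suspicious"

    # "https://epicgames.com@other.example/" shows the trusted name first,
    # but everything before "@" is userinfo, not the destination.
    if parts.username is not None:
        return "suspicious"

    for label in host.split("."):
        # Punycode labels can render as look-alike characters; both
        # official domains are plain ASCII, so treat these as suspect.
        if label.startswith("xn--"):
            return "suspicious"
        for brand in BRANDS:
            # Brand embedded in another name, or within two typos of it.
            if brand in label or edit_distance(label, brand) <= 2:
                return "suspicious"
    return "unrelated"


# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://www.epicgames.com/fortnite",
    "http://fortnite.com/",
    "https://epicgames.com.account-verify.example/login",
    "https://f0rtnite.example/free-vbucks",
    "https://epicgames.com@login.example/",
    "https://news.example/article",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10s} {link}")
```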

There is also the option of two-factor authentication for Fortnite. It is a great idea to enable this. Players will be sent a separate unique code in email that has to be correctly entered into the site before access to their accounts will be granted. This is great additional protection and whenever it’s offered for sites that contain personally identifiable information, it should be utilized.

Remember that video game consoles these days are no longer just boxes that sit next to the television. They are computers, and users of them are not only vulnerable to phishing and theft of the payment card information saved in their accounts; the consoles also need to be updated with patches from time to time. When you see that notification on the game console, apply it. If possible, just set it to automatically apply updates to avoid leaving the system vulnerable to attacks.

Fortnite currently claims to have more than 45 million players around the globe. It’s available on various platforms including game consoles as well as computers and mobile devices. Keep all of these updated at all times to lower your cybersecurity risks.

Everyone likes to get free stuff. Admittedly it’s better if it’s a free vacation or free money. However, researchers at Palo Alto Networks have found a way you can get FreeMilk. Hey, free is free! There is bad news, of course. It comes in the form of malware. The schemers have figured out a way to intercept ongoing email “conversations” to distribute malware around the world. It exploits either a Microsoft Office or WordPad vulnerability and involves two steps.

Part one is a decoy document in an email message that uses specific information about the recipient, in hopes it’ll make him or her think it’s an authentic message. That’s what the attackers put together when they intercept the email conversation. This is the PoohMilk part of it. Then comes Freenki. This does the damage. It collects information such as user name, computer name, and active processes on the computer, and can take screenshots of the device. The information is then sent to the attackers, who can use it for other attacks.

In spearphishing, attackers gather information about the intended targets. This could be acquired from social media profiles and posts, such as from Facebook or LinkedIn, but could also be a result of a phishing phone call (vishing). Then they use it to craft the email. Since the recipients see all the specific information, they are more likely to click a link or attachment.

Just because the information may be accurate and specific doesn’t make any attachment free of harm. Question why a document may be coming in the middle of a conversation before clicking it. Call the sender on the phone and ask about it first. You can even send a text. Just don’t reply to the message; in this case, it’s better if you don’t send email at all.

There are literally no attachments that are safe these days. Malware can come in the form of documents, spreadsheets, executable files, text files, images, and anything else you can come up with. If you are not expecting an attachment or link, don’t click it.

This is, fortunately, a limited spearphishing campaign discovered by the researchers in May of this year. But that doesn’t mean it won’t come across your inbox. Always be on the lookout for these scams.

The airline industry has a lot of information on passengers. That’s why using airlines for phishing attacks is useful to cybercriminals. In response to a warning from Delta Airlines, the U.S. Computer Emergency Readiness Team (US-CERT) recently issued an alert warning airline consumers to be on the lookout for email messages attempting to gain access to personal and sensitive information.

Delta recently put a notice on its website warning its passengers of attempts to access personal data in email messages claiming to be from the airline. These messages contain promises of free travel or prizes, invoices, or other documents, which Delta makes clear are fraudulent and may contain malware. The criminals go to great lengths to copy the company’s website, making it difficult to tell it’s fake.

If you receive a message in email, social media, or any other way promising free travel or prizes from any airline, you should consider it suspicious. Before clicking any links or attachments, go directly to the airline’s website to verify contests or giveaways. Most likely, these are phony. If it seems too good to be true, it really is.

The Delta notice also warns consumers that they do not market to them using giveaways and prizes.

Although Delta issued this particular notice, other airlines are not immune to similar scams and phishing attacks. Southwest has been used often in scams seen on Facebook and United experienced a breach of its systems in 2015. Loyalty programs for airlines, hotels, and others are frequently targeted by scammers.

When signing up for programs like these, always use strong passwords that include:

At least eight characters

Upper and lower case letters

At least one number

At least one special character

Passwords also should not contain personal or sensitive information such as birthdates, names, or addresses. Remember to change passwords regularly, even for loyalty programs, and make sure that each password used on a site is unique to that site.

There is one last thing. If you are entering sensitive information into any website, such as payment card details, be sure to confirm that the site is secure. Look for the lock icon or the “https://” preceding the address, and check that the spelling of the URL is correct before hitting the “enter” or “return” key. When in doubt, don’t enter any information.


Chances are pretty good that you have heard the term business email compromise or BEC by now. It is a type of wire transfer fraud that the FBI has deemed one of the most prevalent types of scam going around these days. In 2017, there were over 15,690 complaints that resulted in total adjusted losses of more than $675 million. That is an 87% increase over 2016 and it is expected to continue to rise. The Identity Theft Resource Center (ITRC) reported that of the fraud related complaints reported in 2017, the most common type was wire transfer fraud.


